Bug 1072292 - Libvirt report incorrect message when starting domain with nwfilter whose chain priority is greater than its filter rule priority
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Laine Stump
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-03-04 10:23 UTC by Hu Jianwei
Modified: 2015-04-09 16:07 UTC (History)

Fixed In Version: libvirt-1.2.7-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1210183
Environment:
Last Closed: 2015-03-05 07:30:57 UTC
Target Upstream Version:
Embargoed:
Links
System ID: Red Hat Product Errata RHSA-2015:0323
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: libvirt security, bug fix, and enhancement update
Last Updated: 2015-03-05 12:10:54 UTC

Description Hu Jianwei 2014-03-04 10:23:21 UTC
Description of problem:
Libvirt cannot assign an nwfilter to a domain when that nwfilter's chain priority is greater than its filter rule priority.

Version-Release number of selected component (if applicable):
libvirt-1.1.1-25.el7.x86_64
qemu-kvm-rhev-1.5.3-50.el7.x86_64
kernel-3.10.0-97.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Set the rule priority to less than -500, and add this nwfilter to the domain's interface.
(The chain's priority (-500) is bigger than the rule's priority (-501).)
[root@intel-e5530-8-2 ~]# virsh nwfilter-dumpxml my
<filter name='my' chain='arp-jiahu' priority='-500'>
  <uuid>f280dd7d-32f6-4c5c-a64f-be28ebbb8a53</uuid>
  <rule action='accept' direction='inout' priority='-501'/>
</filter>

2. Start the domain with that nwfilter.
[root@intel-e5530-8-2 ~]# virsh dumpxml r7 | grep interface -A10
    <interface type='network'>
      <mac address='52:54:00:cd:4b:78'/>
      <source network='default'/>
      <model type='rtl8139'/>
      <filterref filter='my'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
...
[root@intel-e5530-8-2 ~]# virsh start r7
error: Failed to start domain r7
error: Error while building firewall: Some rules could not be created for interface vnet0: Failure to execute command '$EBT -t nat -A J-vnet0-arp  -j ACCEPT' : 'Chain 'J-vnet0-arp' doesn't exist.'.


Actual results:
As shown above.

Expected results:
1. If it's allowed, please enable it; the domain should start with such an nwfilter.
2. If it works as designed, please improve the error message and show a friendly message to the user.

Comment 1 Stefan Berger 2014-03-13 22:48:36 UTC
The fix for this issue has now been pushed to the upstream repo:

commit 5a2b17beb89c648db5d8e145615b4e8128c7bd8b
Author: Stefan Berger <stefanb.ibm.com>
Date:   Thu Mar 13 18:30:09 2014 -0400

    nwfilter: Fix rule priority problem

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1072292

    Fix a problem related to rule priorities that did not allow to
    have rules applied that had a higher priority than the chain they
    were in. In this case the chain did not exist yet when the rule
    was instantiated. The solution is to adjust the priority of rules
    if the priority of the chain is of higher value. That way the chain
    will be created before the rule.

    Signed-off-by: Stefan Berger <stefanb.ibm.com>

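The commit message above describes the ordering problem: libvirt instantiates chains and rules in priority order (lower value first), so a rule whose priority is lower than its chain's is appended before the chain has been created. The following model, added here as an illustration and not libvirt's own code, reproduces that failure and the fix (clamping a rule's priority to at least its chain's); the chain naming, the `Filter`/`Rule` classes and the `plan_ebtables`/`apply_plan` helpers are assumptions for the sake of the example.

```python
# Added illustration (not libvirt's code): models how nwfilter instantiation
# orders chain creation and rule insertion by priority, and the fix from the
# commit above (raise a rule's priority to its chain's so the chain exists first).
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str
    priority: int

@dataclass
class Filter:
    name: str
    chain: str
    priority: int                       # chain priority
    rules: list = field(default_factory=list)

def plan_ebtables(flt, ifname, fixed=True):
    """Return (priority, ebtables command) steps, lowest priority value first."""
    chain = f"J-{ifname}-{flt.chain}"   # hypothetical chain name, mirrors the error above
    steps = [(flt.priority, f"ebtables -t nat -N {chain}")]
    for r in flt.rules:
        # The fix: a rule never sorts ahead of the chain it is appended to.
        prio = max(r.priority, flt.priority) if fixed else r.priority
        steps.append((prio, f"ebtables -t nat -A {chain} -j {r.action.upper()}"))
    # Stable sort keeps chain creation ahead of rules of equal priority.
    return sorted(steps, key=lambda s: s[0])

def apply_plan(steps):
    """Simulate execution: '-N' creates a chain, '-A' needs it to exist already."""
    existing = set()
    for _, cmd in steps:
        parts = cmd.split()
        if "-N" in parts:
            existing.add(parts[parts.index("-N") + 1])
        elif "-A" in parts:
            chain = parts[parts.index("-A") + 1]
            if chain not in existing:
                return f"Chain '{chain}' doesn't exist."
    return "ok"

# Constructed input matching the filter from the bug report.
MY = Filter("my", "arp-jiahu", -500, [Rule("accept", -501)])

def outcome(fixed):
    """Result of instantiating the filter on vnet0 with or without the fix."""
    return apply_plan(plan_ebtables(MY, "vnet0", fixed=fixed))

if __name__ == "__main__":
    print("before fix:", outcome(False))
    print("after fix: ", outcome(True))
```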
Comment 3 Hu Jianwei 2014-11-24 10:42:56 UTC
Verified the bug as below:

[root@ibm-x3850x5-06 ~]# rpm -q libvirt
libvirt-1.2.8-7.el7.x86_64

[root@ibm-x3850x5-06 ~]# virsh nwfilter-dumpxml my
<filter name='my' chain='arp-jiahu' priority='-500'>
  <uuid>f280dd7d-32f6-4c5c-a64f-be28ebbb8a53</uuid>
  <rule action='accept' direction='inout' priority='-501'/>
</filter>

[root@ibm-x3850x5-06 ~]# virsh dumpxml r7 | grep /interface -B6
    <interface type='network'>
      <mac address='02:54:00:36:c6:d0'/>
      <source network='default'/>
      <model type='virtio'/>
      <filterref filter='my'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
[root@ibm-x3850x5-06 ~]# virsh start r7
Domain r7 started

[root@ibm-x3850x5-06 ~]# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0

Bridge chain: libvirt-I-vnet0, entries: 1, policy: ACCEPT
-p ARP -j I-vnet0-arp-jiahu

Bridge chain: libvirt-O-vnet0, entries: 1, policy: ACCEPT
-p ARP -j O-vnet0-arp-jiahu

Bridge chain: I-vnet0-arp-jiahu, entries: 1, policy: ACCEPT
-j ACCEPT 

Bridge chain: O-vnet0-arp-jiahu, entries: 1, policy: ACCEPT
-j ACCEPT 

The domain with such an nwfilter can boot up normally; moved to Verified.

Comment 4 Wayne Sun 2015-01-28 08:11:41 UTC
This is fixed on rhel7 and upstream, but still exists on rhel6.
Tested with the exact steps on:
libvirt-0.10.2-46.el6.x86_64

Comment 6 errata-xmlrpc 2015-03-05 07:30:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html